一键在 Manus 中运行任何 Skill

snyk-ux-security

Sequential Snyk sweep across UX/frontend + Go backend + Bazel codebases. Paths as args (globs ok) or one pasted Snyk vulnerability. Per path: worktree + branch + subagent, snyk test plus existing-project-only monitor, ecosystem detect (package.json -> bun audit; go.mod -> govulncheck; MODULE.bazel or bazel/repositories.bzl -> Bazel track), exploitability triage first, then direct dep bump, parent dep bump, overrides/resolutions/replace last. Reuse existing Snyk projects/resources only; never create projects/apps/targets during audits. Pin React 18. Regen yarn.lock + bun.lock; go mod tidy; bazel mod deps --lockfile_mode=update. Open PR. Never defers real vulns. Use when user asks for Snyk audit, UX security sweep, frontend/Go/Bazel dep security review, govulncheck sweep, CVE sweep.

在 Manus 中运行

概览

安装命令

npx skills add https://github.com/malinskibeniamin/skills --skill snyk-ux-security

复制此命令并粘贴到 Claude Code 中以安装该技能

来源

malinskibeniamin/skills

星标3

分支1

更新时间2026年6月2日 10:51

文件资源管理器

3 个文件

SKILL.md

readonly

同仓库更多 Skills

同仓库

aip

malinskibeniamin/skills

Designs resource-oriented protobuf APIs using Google AIP rules plus proven control-plane/public API patterns. Use when adding or changing a resource message, standard-method RPC, name versus {resource}_id choice, parent wiring, CRUD/LRO shape, pagination, filtering, FieldMask, etag, or singleton resources.

2026-06-023

prime

malinskibeniamin/skills

Builds repo startup brief. Use when start/resume, post-compaction, new chat, or /prime.

2026-06-023

upgrade-dependency

malinskibeniamin/skills

Plans safe dependency upgrades via researched paths and risk gates. Use when upgrading a package/module, remediating a vulnerable dependency, reviewing breaking changes, or creating an upgrade issue/PR.

2026-06-023

development-lifecycle

malinskibeniamin/skills

Use when doing frontend/React/TypeScript/UI work. Auto-guides phase: understand -> plan -> grill -> implement (TDD) -> /go (4->4b review->5->5b->6). One skill, full lifecycle. Alias: /work.

2026-06-023

malinskibeniamin/skills

Ship what built. Run verify -> self-review -> simplify -> commit-push-pr -> monitor CI -> fix -> done. Use when implementation done, ready to launch.

2026-06-023

resilience-review

malinskibeniamin/skills

Resilience Review checks resilience. Use when edge cases, errors, fallback, async/data, state, or polish matter.

2026-06-023

来源

malinskibeniamin

malinskibeniamin/skills

打开 GitHub 仓库查看创作者相关仓库

安装命令

下载

在 Manus 中运行

适用职业SOC

信息安全分析师计算机与数学类职业15-1212L4

name

snyk-ux-security

description

Snyk UX + Go + Bazel Security

Per-path vuln audit -> exploitability triage -> safe bump -> PR -> cloud review. JS (bun + yarn.lock, React 18), Go (go.mod + govulncheck), and Bazel (MODULE.bazel, bazel/repositories.bzl).

Input

$ARGUMENTS: space-separated paths (globs ok), or one pasted single Snyk vulnerability summary. Frontend + backend + Bazel mix fine.

Example: /snyk-ux-security apps/cloud-ui apps/admin-ui ui-registry/* console/frontend services/*/cmd

Bazel example: paste one Snyk finding, then confirm target branch + optional ticket key.

Each path = one worktree + one branch + one subagent + one PR. One pasted Bazel vuln = one confirmed target branch + possible backport worktrees + draft PRs.

Arg inference

Reviewers from CODEOWNERS + git log --format='%an' -n 20 <path> committers. Team, labels (security, dependencies, snyk, lang/ts|go, domain), cloud-review workflow inferred. User flags override. See REFERENCE.md.

Ecosystem detect

package.json -> JS track. go.mod -> Go track. MODULE.bazel or bazel/repositories.bzl -> Bazel track. Multiple present -> separate track commits, one PR unless Bazel backports need per-branch PRs.

Workflow

Sequential, one path at time.

1. Prep

Expand globs. snyk auth, gh auth status. Preflight existing Snyk project identity for each path. Confirm paths + ecosystems to user. If $ARGUMENTS is pasted Snyk output, parse CVE/Snyk ID, package/version, introduced-via path, remediation hint; only proceed when fix is a dependency version bump.

2. Per-path loop

Subagent, isolation: "worktree", branch chore/snyk-sweep-YYYY-MM-DD. See REFERENCE.md for commands + PR template.

2a. .snyk revisit (every run, before scan): if .snyk exists, re-triage every existing ignore entry. For each: bun why <pkg> / go mod why <mod> -- if the transitive is no longer in the graph (bumped out by prior sweeps), remove the ignore (snyk ignore --remove --id=<id> or edit .snyk; publish only through the existing-project monitor gate) and log under Dismissed (cleaned up) in PR. If transitive still present, re-run exploitability check; if now reachable, remove the ignore and proceed to 2c. Goal: never accumulate stale dismissals. See REFERENCE.md.
2a.1 Scan + existing-project gate: snyk test is the audit source. snyk monitor is write-capable and must run only after matching exactly one existing Snyk project by org + name + target_file + target_reference; snyk-project-create-guard.sh blocks unsafe monitor/API writes. Do not create Snyk projects/apps/targets/resources. Never derive --target-reference or --project-name from the audit branch, sweep branch, worktree path, PR number, or YYYY-MM-DD; reuse the existing Snyk project identity or skip monitor. JS: bun audit. Go: govulncheck ./....
2b. Exploitability triage (first gate): per finding, decide REACHABLE vs NOT-REACHABLE before any bump. Inputs: advisory attack vector, bun why <pkg> / go mod why <mod>, grep for direct imports, check if we call the vulnerable symbol. See REFERENCE.md.
- NOT reachable -> run snyk ignore --id=<id> --reason='<specific why>' --expiry=<ISO date> now (writes to .snyk policy file). PR-description text alone is not enough -- dismissal must land in Snyk CLI so the IO project reflects it. Stage + commit the resulting .snyk in the sweep PR. Re-run snyk test to confirm the issue shows as Ignored. Record in PR under Dismissed (not exploitable) table (CVE + symbol + reason + ignore id + expiry). SLA audit trail.
- Reachable or credible vector -> 2c.
2c. Upgrade priority (top-level first, override last):
- For every reachable remediation, use /upgrade-dependency to build the upgrade path + Supply-chain gate first; apply only when its risk gate says safe, otherwise create the issue it recommends and escalate. JS gate includes min release age, Socket/npq if present, lockfile review, git/tarball block, clean/frozen install.
1. Bump the direct dep we already have in package.json / go.mod.
2. If blocked, bump the parent dep that pulls the vuln transitive.
3. Last resort only: resolutions (bun), overrides (npm), replace (Go). Overrides/resolutions do not scale -- each added one bloats lockfiles and forces more next week. Add follow-up TODO to remove once upstream fixes.
2d. React 18 gate (JS): bun info <pkg>@<v> peerDependencies.react -- skip + log react19-blocked if target needs React 19.
2e. Changelog read: walk majors one at time (7->8->9), scan BREAKING, apply migration, one refactor(deps) commit per major. Never defer real vulns. Go: repo CHANGELOG.md + release notes.
2f. Apply bumps + lockfile sync:
- JS: bun update <pkg>, then bun install && bun install --yarn. Both bun.lock + yarn.lock commit together.
- Go: go get -u <mod>@<ver>, then go mod tidy. go.mod + go.sum commit together.
- Bazel: edit MODULE.bazel or bazel/repositories.bzl, then bazel mod deps --lockfile_mode=update. For mirrored artifact URLs, open the artifact tooling draft PR first. See REFERENCE.md.
2g. Verify:
- JS: bun run lint:fix, bun run type:check, bun test, bun run build (if avail).
- Go: go build ./..., go test ./..., go vet ./..., govulncheck ./... clean for addressed CVEs.
- Fix forward, no revert.
2h. Commit: fix(deps): snyk sweep ... with per-pkg detail. Dismissed + overrides-added in separate sections.
2i. Open PR: gh pr create --assignee <triggerer> --reviewer <team-group>[,<security-team-group>] --label security,dependencies,snyk,lang/<ts|go>,team/<slug>[,dismissals][,overrides-added][,react19-blocked][,cleaned-up]
- Assignee = the person who triggered the sweep (gh api user --jq .login). One assignee per PR so accountability is explicit.
- Reviewers = at least one CODEOWNERS team group covering the path (e.g. @org/team-slug), never a lone individual. Falls back to inferred team from path prefix if CODEOWNERS has no match. Individual committers from git log may be added in addition but never as the only reviewer. Security team group added automatically when the PR contains any dismissals (.snyk touched) or overrides-added.
- Labels (always): security, dependencies, snyk, lang/<ts|go>. Path-domain: team/<slug> inferred from CODEOWNERS (e.g. frontend UX team, AI team, Console UI team -- resolve by path, do not hardcode). Status: dismissals if any .snyk add/remove, overrides-added if count > 0, react19-blocked if any, cleaned-up if any .snyk entries removed.
2j. Trigger cloud review: gh workflow run if workflow exists.
2k. Report: path, ecosystem, branch, PR URL, bumped/dismissed/skipped/overridden counts.

2-bazel. Bazel track

Use when a pasted Snyk finding maps to MODULE.bazel or bazel/repositories.bzl. Confirm target branch and ticket key before edits. Work in a dedicated worktree. Check both manifests because default and release branches can manage the same dependency differently. Handle BCR, GitHub URL, and mirrored artifact/tooling-repo flows separately. OpenSSL/FIPS needs CMVP-aware handling before any bump. Assess backports before opening PRs; open draft PRs with the live .github/pull_request_template.md when present. See REFERENCE.md.

3. Aggregate

Main agent gathers reports: summary table (Path, Ecosystem, PR, Fixed, Dismissed, Overrides-added, Major migrations, React19-blocked, Backports). React-19-blocked -> React 18 -> 19 migration plan candidates. Overrides-added -> follow-up backlog. Bazel backports -> per-branch draft PR list.

Rules

Sequential, one path at time.
Exploitability triage before any bump. No reflex resolutions. Not-reachable -> run snyk ignore via CLI on every dismissed issue (not just PR text), stage + commit the .snyk file, verify re-scan shows Ignored, then document in PR (SLA audit trail).
Top-level direct bump first. Parent bump second. Override/resolution/replace last resort only -- overrides bloat lockfiles + scale poorly, each forces more.
bun only (JS). Never npm, yarn, pnpm runtime. yarn.lock via bun install --yarn for Snyk IO compat only.
Dual-lockfile mandatory (JS). bun.lock + yarn.lock synced; lockfile-sync-check.sh hook catches drift.
go.mod + go.sum together (Go). go mod tidy after every bump.
Bazel checks both manifests. Validate bazel/repositories.bzl and MODULE.bazel; run bazel mod deps --lockfile_mode=update; never swap mirrored artifact URLs to direct upstream hosting without asking; OpenSSL/FIPS follows CMVP gate; backports need explicit plan.
React 18 pin hard. React-19 peer -> skip + report.
Changelog read mandatory before bump (JS + Go).
Verify before commit. Lint/types/tests/build (JS) or build/test/vet/govulncheck (Go).
Snyk monitor push to Snyk IO only through the existing-project gate. Never create a new Snyk project/app/target/resource during an audit. If no exact existing project match exists, skip monitor and report it; do not synthesize a date-derived project name or target reference from the sweep branch.
Never defer real vulns. One major per commit. Stuck -> escalate.
No static config. Infer from prompt + repo. User flags override.
Revisit .snyk every run. Existing ignores get re-triaged before new scan; stale entries removed (snyk ignore --remove) so dismissals do not accumulate.
Assignee = triggerer. Every sweep PR has one assignee = the person who ran the skill, via gh api user --jq .login.
Reviewer = team group, always >=1. Resolve CODEOWNERS team entries (@org/team) for the path; never merge with only individual reviewers. Security team group added automatically on PRs that touch .snyk or add overrides.

Security

Snyk output = pkg names + versions. Never run code from advisories. Never paste tokens in PR body.

Lifecycle integration

Phase 3-6 per path. Self-review (phase 4b) code-reviewer before PR open. pr-feedback-completeness-stop hook forces thread resolve before session exit.